Almost a decade after the Department of Defense developed rules requiring mandatory reporting of cyber incidents, on October 3, 2023, the Federal Acquisition Regulation (FAR) Council released two new proposed rules—one addressing cyber incident reporting and another addressing cybersecurity requirements for contractors maintaining a Federal Information System (FIS). When enacted, these rules could implement new security measures and incident reporting requirements via FAR clauses for contractors across the entire federal government. The “Cyber Threat and Incident Reporting and Information Sharing” proposed rule focuses on increasing the sharing of information about cyber threats between government and private industry, while the “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” proposed rule focuses on implementing policies, procedures, and requirements for contractors maintaining an FIS. These rules implement Biden Administration initiatives pursuant to Executive Order (“EO”) 14028, “Improving the Nation’s Cybersecurity,” issued in May 2021.
Cyber Threat and Incident Reporting and Information Sharing
The purpose of the “Cyber Threat and Incident Reporting and Information Sharing” proposed rule is to increase cyber threat and incident information sharing between the government and private industry. The rule aims to modernize federal cybersecurity defenses by strengthening the United States’ ability to respond to incidents. The rule includes several new requirements for contractors and new powers for federal agencies, including CISA and the FBI. The government has specifically requested industry input regarding several of the proposed rule’s prominent features, which include the following requirements:
- Security Incident Reporting Representation: Requires contractors to certify that they have submitted all security incident reports in a current, accurate, and complete manner.
- Software Bills of Materials: Requires contractors to develop and maintain a software bill of materials (SBOM) for any software used in the course of performance of a contract.
- CISA Engagement Services: Requires contractors to cooperate with and allow access to CISA engagement services when needed for threat hunting and incident response, in order to give CISA visibility into systems to observe adversary activity.
- Access to Contractor Information and Information Systems: Requires contractors to provide full access to applicable contractor information, information systems, and personnel to CISA, the FBI, and the contracting agency in the event of a security incident either reported by the contractor or discovered by the government.
- Compliance Operating in a Foreign Country: Requires contractors and subcontractors to report security incidents and take additional actions to support incident response. However, contractors operating in certain foreign countries may also be subject to laws and regulations of those countries regarding what information may be provided to the U.S. government.
- Security Incident Reporting Harmonization: Requires contractors to investigate all indicators that a security incident may have occurred and submit information through the CISA reporting portal within 8 hours of discovery. Contractors are then required to update the submission every 72 hours until the incident has been remediated. The early reporting aims to give the government the opportunity to limit the extent of damage to its systems and data.
Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems
The proposed rule provides cybersecurity policies, procedures and requirements for contractors that develop or maintain a Federal Information System (FIS). The proposed rule defines an FIS as an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of an executive agency. The rule provides requirements for systems using non-cloud computing services and systems using cloud computing services under two new FAR clauses: “Federal Information Systems Using Non-Cloud Computer Services” and “Federal Information Systems Using Cloud Computing Services.” Contractors that use both on-premises and cloud computing services must comply with the requirements of both sets of policies, as applicable.
Federal Information Systems Using Non-Cloud Computing Services
This proposed FAR clause will be included in solicitations and contracts that use non-cloud computing services, also known as on-premises computing services. The proposed rule features several requirements, including:
- FIPS 199 Impact Level and Mandatory Security and Privacy Controls: Agencies awarding contracts will use Federal Information Processing Standard (FIPS) Publication 199 to categorize the FIS and identify the corresponding security and privacy controls for the FIS.
- Records Management and Government Access: Contractors must provide Federal agencies with timely and full access to government and government-related data, contractor personnel involved in performance of the contract, and, if under audit or investigation, physical access to any contractor facility with government data.
- Assessments: For systems designated as moderate or high impact under FIPS 199, contractors must (1) conduct a cyber threat hunting and vulnerability assessment at least annually and (2) perform an annual, independent assessment of the security of each FIS. Contractors must submit the results of the assessment, including any recommended improvements or risk mitigations, to the contracting officer. The agency may, after reviewing the results, require the contractor to implement improvements or mitigations.
- Specification of Additional Security and Privacy Controls: Agencies must specify the appropriate security and privacy controls necessary under each contract. The controls will be based on the current version of the following documents: NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations”; NIST SP 800-213, “IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements”; NIST SP 800-161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”; and NIST SP 800-82, “Guide to Industrial Control Systems Security.” The rule also requires contractors to (1) develop and update a system security plan (SSP) to support the FIS and (2) have a contingency plan for all information systems that aligns with NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems.”
- Subcontracts: Contractors must include the substance of the proposed clause in any subcontracts issued under the contract for development, implementation, operation, or maintenance of an FIS using non-cloud computing services.
Federal Information Systems Using Cloud Computing Services
The proposed FAR clause will be included in solicitations and contracts regarding any FIS that uses cloud computing services. The rule proposes several requirements for contractors, including the following:
- FIPS Impact Level and FedRAMP Authorization Level: The agency will first identify the FIPS 199 impact level for the FIS and the corresponding Federal Risk and Authorization Management Program (FedRAMP) authorization level for each cloud computing service within the contract.
- FedRAMP Security Controls: Contractors will be required to implement and maintain security and privacy controls according to the FedRAMP level specified by the contracting agency. Contractors must also engage in continuous monitoring activities and provide monitoring deliverables as required for FedRAMP approved capabilities.
- Maintenance of Certain Systems within the U.S.: Systems with FIPS 199 high impact ratings must maintain all government data within the United States or its outlying areas, unless the data is specifically located on U.S. Government premises outside the U.S. or unless otherwise specified in the contract.
- Disposal of Government Data: The proposed rule requires contractors to provide and dispose of government data in the manner specified by the contract. Confirmation of disposal must be provided to the contracting officer.
The government will accept comments on these proposed rules until December 4, 2023.
New cybersecurity requirements await government contractors once these rules are finalized. To prepare for these changes, government contractors should understand what threat detection and vulnerability management solutions are currently in place in their systems and how these solutions will enable them to comply with the new information sharing requirements. Contractors should also determine if they operate a federal information system on behalf of a federal agency, as defined in the proposed rule and, if so, begin comparing their current cybersecurity compliance practices with the rule’s pending requirements, and prepare comments if their business will be affected by such changes. These proposed rules represent two of three long-awaited FAR cases to enhance and standardize cybersecurity requirements across the federal government (FAR Case 2021-017 and FAR Case 2021-019), and suggest that the third, FAR Case 2017-016, which seeks to amend the FAR to implement the NARA CUI program across the federal government, may soon reach publication.